{"id":2220401,"url":"http://patchwork.ozlabs.org/api/1.1/covers/2220401/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260407075343.220555-1-acelan.kao@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.1/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260407075343.220555-1-acelan.kao@canonical.com>","date":"2026-04-07T07:53:41","name":"[SRU,Q,0/2] BUG: kernel NULL pointer dereference in amdgpu(regression)","submitter":{"id":2976,"url":"http://patchwork.ozlabs.org/api/1.1/people/2976/?format=json","name":"AceLan Kao","email":"acelan.kao@canonical.com"},"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260407075343.220555-1-acelan.kao@canonical.com/mbox/","series":[{"id":498933,"url":"http://patchwork.ozlabs.org/api/1.1/series/498933/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=498933","date":"2026-04-07T07:53:41","name":"BUG: kernel NULL pointer dereference in amdgpu(regression)","version":1,"mbox":"http://patchwork.ozlabs.org/series/498933/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2220401/comments/","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=ay0dtB/b;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from 
lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fqdkS6zRyz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 07 Apr 2026 17:54:08 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wA1Fz-0001ue-8V; Tue, 07 Apr 2026 07:53:55 +0000","from mail-pj1-f41.google.com ([209.85.216.41])\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <acelan@gmail.com>) id 1wA1Fx-0001uC-Ko\n for kernel-team@lists.ubuntu.com; Tue, 07 Apr 2026 07:53:53 +0000","by mail-pj1-f41.google.com with SMTP id\n 98e67ed59e1d1-35da9c0c007so4484795a91.2\n for <kernel-team@lists.ubuntu.com>; Tue, 07 Apr 2026 00:53:53 -0700 (PDT)","from localhost ([2001:67c:1562:8007::aac:4468])\n by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-35ddb973ffasm14965866a91.2.2026.04.07.00.53.48\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 07 Apr 2026 00:53:50 -0700 (PDT)"],"X-Received":"by 2002:a17:90a:e70d:b0:35c:8ac:ef74 with SMTP id\n 98e67ed59e1d1-35de679c983mr14186512a91.6.1775548430980;\n Tue, 07 Apr 2026 00:53:50 -0700 (PDT)","From":"AceLan Kao <acelan.kao@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][Q][PATCH 0/2] BUG: kernel NULL pointer dereference in\n amdgpu(regression)","Date":"Tue,  7 Apr 2026 15:53:41 +0800","Message-ID":"<20260407075343.220555-1-acelan.kao@canonical.com>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","Received-SPF":"pass client-ip=209.85.216.41; envelope-from=acelan@gmail.com;\n helo=mail-pj1-f41.google.com","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: \"Chia-Lin Kao (AceLan)\" <acelan.kao@canonical.com>\n\nBugLink: https://bugs.launchpad.net/bugs/2144577\n\n[Impact]\nSystem freezes during boot on machines with AMD Southern Islands (SI) GPUs\nusing the amdgpu driver.\nThe amdgpu driver calls flush_gpu_tlb_pasid() in a workqueue, but on SI\nhardware this function pointer is NULL. The kernel hits a NULL pointer\ndereference in amdgpu_gmc_flush_gpu_tlb_pasid() and crashes.\n\nError log:\nkernel: BUG: kernel NULL pointer dereference, address: 0000000000000000\nkernel: Workqueue: events amdgpu_tlb_fence_work [amdgpu]\nkernel: RIP: 0010:0x0\nkernel: Call Trace:\nkernel: amdgpu_gmc_flush_gpu_tlb_pasid+0xfd/0x480 [amdgpu]\nkernel: amdgpu_tlb_fence_work+0x77/0x110 [amdgpu]\n\nHits every boot on affected hardware. Regression from 6.17.0-14 to 6.17.0-19.\n\n[Fix]\nTwo patches fix this together:\n1. f4db9913e4d3 (\"drm/amdgpu: validate the flush_gpu_tlb_pasid()\")\n   Adds a NULL check for flush_gpu_tlb_pasid before calling it.\n   Upstream in v7.0-rc1.\n2. e3a6eff92bbd (\"drm/amdgpu: Fix validating flush_gpu_tlb_pasid()\")\n   Fixes the first patch — the early return skipped the unlock, causing\n   a deadlock. 
Changes the bare return to a goto that unlocks first.\n   Upstream in v7.0-rc1.\n   Fixes: f4db9913e4d3\n\n[Test Plan]\nOn a machine with an AMD SI GPU (Tahiti, Pitcairn, Verde, Oland, Hainan)\nbooted with amdgpu.si_support=1:\n\n$ sudo reboot\n\nWithout patches: kernel NULL pointer dereference during boot, system freezes.\nWith patches: system boots normally, no crash or error in dmesg.\n\nCheck dmesg after boot:\n$ dmesg | grep -i \"BUG\\|NULL pointer\\|amdgpu\"\n\nWithout patches: \"BUG: kernel NULL pointer dereference\" present.\nWith patches: no BUG or NULL pointer lines.\n\n[Where problems could occur]\nCould break TLB flushing on amdgpu.\n\nIf the NULL check gates too broadly, TLB flushes could be skipped on GPUs\nthat do have flush_gpu_tlb_pasid. This would cause stale TLB entries and\nGPU page faults or rendering corruption.\n\nThe unlock path change in the second patch touches the reset/lock logic in\namdgpu_gmc_flush_gpu_tlb_pasid(). A wrong goto target could leave the\nreset domain lock held, deadlocking the GPU.\n\n[Other Info]\nBoth patches are upstream in v7.0-rc1.\n\nPrike Liang (1):\n  drm/amdgpu: validate the flush_gpu_tlb_pasid()\n\nTimur Kristóf (1):\n  drm/amdgpu: Fix validating flush_gpu_tlb_pasid()\n\n drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 6 ++++++\n 1 file changed, 6 insertions(+)"}